As a website administrator, keeping your site online during large traffic spikes is what you strive for. But how can you be sure traffic spikes are legitimate? And more importantly, how do you react when they aren’t? The unfortunate reality is DDoS attacks can be a threat for websites big and small. In this post, we’ll cover some essential fundamentals on how to stop a DDoS attack and prevent them from happening in the future.
So, let’s dive into the warning signs and help you sort out how to stay online — even during a massive DDoS attack.
Contents:
- What is Distributed Denial-of-Service (DDoS)?
- Types of DDoS attacks
- How to check for DDoS attacks
- What to do during a DDoS attack
- How to stop a DDoS attack
What is Distributed Denial-of-Service (DDoS)?
A Distributed Denial-of-Service (DDoS) attack is a cyber assault where regular traffic to a particular server, service, or network is interrupted by a deluge of internet traffic. This onslaught is typically orchestrated using multiple compromised computers or networked resources, including Internet of Things (IoT) devices.
Simply put, think of a DDoS attack as an impromptu, massive traffic jam on a highway that stops regular commuters — in this case, your website visitors — from reaching their desired destination.
Types of DDoS attacks
There are a number of different types of DDoS attacks. These threats prevent legitimate users from accessing your website by sending bogus requests or more traffic to the server than it can handle.
Here are a few of the most common types of DDoS attacks.
Volume-based DDoS attacks
The goal of a volume-based DDoS attack is to overload the website’s bandwidth or cause CPU or IOPS usage issues. If the attacker overloads your resources, the attack has been successful.
Some examples of volume-based DDoS attacks include:
- UDP floods
- ICMP floods
- Ping floods
Protocol-based DDoS attacks
The goal of a protocol-based DDoS attack is to exploit weaknesses in Layer 3 and Layer 4 protocol stacks to consume server or networking hardware resources, resulting in service disruption. If the attacker sends more bandwidth than your network ports can handle or more packets than your server can handle, the attack has been successful.
Some examples of protocol-based DDoS attacks include:
- Ping of death
- SYN flood
Application layer DDoS attacks
The goal of an application layer attack is to exhaust the CPU, memory, and other resources consumed at the web application layer: the web server itself, the PHP scripts it runs, and the database queries it makes to load even a single web page.
Some examples of application layer DDoS attacks include:
- Attacks targeting the DNS server
- Layer 7 HTTP flood cache bypass
- Layer 7 HTTP flood attack
So let’s position your site against these threats.
The impact and effects of DDoS
The cost of being unprepared to mitigate a DDoS attack is not only lost traffic for an indeterminable amount of time; that downtime can also lead to loss of reputation and sales, which can have the greatest impact on your business.
Here are a few things to understand about DDoS attacks that highlight their impact:
- It costs as little as $150 for criminals / attackers to buy a week-long DDoS attack on the black market.
- A small DDoS attack could cost as little as $10 for the attacker.
- More than 2,000 DDoS attacks occur worldwide every single day.
- The cost of a DDoS attack for the victim can spike to thousands or millions, plus there are some hard-to-measure costs, like staff time and bandwidth charges.
Still have questions about DDoS? Check out this video, which goes into detail about what DDoS attacks are.
How to check for DDoS attacks
It is important to monitor your website traffic for peaks that can point to a DDoS attack.
Some DDoS attacks are made of huge amounts of traffic. These are called volumetric attacks. Most of the time they are network-based (layer 3 and layer 4 attacks), but not all DDoS attacks are volumetric. During a free webinar we demonstrated how a live DDoS attack from a single machine targeted the website’s search function to take it down. Such traffic can be as low as 1 request per second, as long as it targets a vulnerable endpoint.
It would be great if your website got millions of new visitors in one hour, but wouldn’t it be suspicious?
A dramatic increase in traffic is a red flag for DDoS attacks. We highly recommend you have monitoring tools in place and always check your logs. Set up alerts that fire when the number of requests or visitors hitting your site exceeds a threshold you have defined for it.
Some other indications to consider:
- The time of day these visits occur. Would your business see a spike at 2:00am local time?
- Where these visits come from. Would you expect traffic from Indonesia if you’re a local bakery in Canada?
- The time of year these visits occur. Ensure that you also adjust for expected legitimate surges. If you sell fireworks, then expect a surge in traffic leading up to New Year’s Eve and account for this within your monitoring tools.
Note: Googlebot makes repeated requests to your website, which can seem like suspicious behavior on the surface. Googlebot and other search engine crawlers are vital to having a website rank correctly in searches. After all, we all want to rank higher in search results! We have a post that helps highlight the difference between Googlebot legitimately crawling a website and a DDoS attack.
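The checks above (a burst of requests, one source doing most of the work, one expensive endpoint such as site search being hammered, and odd hours) can be scripted against your access log. The following is an added example written for this post, not Sucuri code; the log lines are constructed, the thresholds are deliberately tiny to suit the sample, and the `off_hours` rule assumes your log is in local time.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:00:01 +0000] "GET /search?q=aaa HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:02:00:02 +0000] "GET /search?q=aab HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:02:00:04 +0000] "GET /search?q=aac HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:02:00:05 +0000] "GET /search?q=aad HTTP/1.1" 200 5120
198.51.100.5 - - [10/Mar/2024:02:00:30 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.9 - - [10/Mar/2024:02:00:45 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.5 - - [10/Mar/2024:14:30:10 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.9 - - [10/Mar/2024:14:30:50 +0000] "GET /contact HTTP/1.1" 200 1536
"""

# client IP, minute bucket (dd/Mon/yyyy:HH:MM) and request target
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}):\d{2} [^\]]+\] "\S+ (\S+)')


def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, minute, target = m.groups()
    return ip, minute, target.split("?")[0]  # drop the query string


def find_anomalies(log_text, burst_threshold=5, ip_share=0.5, path_share=0.5):
    """Bucket requests per minute and flag bursts, a dominant client, a hot
    endpoint and off-hours timing. Tune the thresholds to your own baseline."""
    per_minute = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            per_minute[rec[1]].append(rec)
    alerts = []
    for minute, recs in sorted(per_minute.items()):
        total = len(recs)
        if total <= burst_threshold:
            continue  # quiet minute, nothing to report
        top_ip, ip_n = Counter(r[0] for r in recs).most_common(1)[0]
        top_path, path_n = Counter(r[2] for r in recs).most_common(1)[0]
        alert = {"minute": minute, "requests": total}
        if ip_n / total >= ip_share:
            alert["dominant_ip"] = top_ip  # a single source doing most of the work
        if path_n / total >= path_share:
            alert["hot_path"] = top_path  # one (possibly expensive) endpoint being hit
        if int(minute.split(":")[1]) < 6:
            alert["off_hours"] = True  # would your visitors really be up at this hour?
        alerts.append(alert)
    return alerts
```

Run against the sample, the 02:00 minute is reported with all four signals while the 14:30 traffic is left alone; in production the same output would feed whatever alerting you already have.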
What to do during a DDoS attack
It seems obvious — block them! However, there are a few main checklist items that apply to any company when looking to prevent or respond to a DDoS attack. These items include:
- Systems checklist. Develop a full list of the assets and systems you need to put in place to ensure proper DDoS identification and prevention. Using filtering tools will also help ensure that hardware and software components are properly configured.
- Form a response plan. Define responsibilities for key team members to ensure an organized reaction to the attack, with a 24/7 window of response.
- Define alternate methods or solutions. Make sure your team members know exactly whom to contact in case the attack exceeds your capabilities.
- Communicate about expected downtime. If you have customers or host services on your website, consider developing communication workflows to ensure clients and users are aware of any potential degradation of performance as a result of the attack.
Next, let’s take a look at some steps to help stop a DDoS attack before it affects your website and traffic.
How to stop a DDoS attack
There are a number of important steps you can take to stop a DDoS attack in its tracks.
1. Identify the DDoS attack
Catching a DDoS attack early makes all the difference in reducing impact and downtime for your website. If you are running your own web servers, ensure you have services that can help you monitor when you are coming under DDoS attack.
2. Maintain sufficient bandwidth and resources
Your web server should already be set up to accommodate unexpected increases in traffic, especially if you are running advertisements, campaigns, or special offers. These extra resources can also buy you a few extra minutes of time to react to a DDoS attack before your website’s resources are overwhelmed.
3. Defend your network perimeter
If you run your own web server, there are a few steps you can take to mitigate the effects of a DDoS attack. For example, you can limit the number of requests your web server accepts over time, add filters to drop packets from specific sources if you are able to identify where the attack is originating, or set lower ICMP, SYN, and UDP flood drop thresholds — but unfortunately, these aren’t particularly effective against especially large, highly sophisticated DDoS attacks.
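The first of those steps, limiting the number of requests accepted from each client over time, is usually a token bucket. The following is an added example, not code from this post or from Sucuri: a minimal per-client limiter plus a deterministic replay that assumes a constructed flood from one IP running alongside a normal visitor.

```python
import time
from collections import defaultdict


class TokenBucketLimiter:
    """Per-client token bucket: a client may burst up to `burst` requests and is
    then held to `rate` requests per second; anything beyond that is refused
    before the application does any expensive work (PHP, database, search)."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = float(rate), float(burst), clock
        self._buckets = {}  # client -> (tokens, time of last refill)

    def allow(self, client):
        now = self.clock()
        tokens, last = self._buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1.0:
            self._buckets[client] = (tokens - 1.0, now)
            return True
        self._buckets[client] = (tokens, now)  # over limit: reject, keep refilling
        return False


def simulate(rate, burst, events):
    """Replay (time, client) events through a limiter driven by a fake clock so
    the outcome is deterministic. Returns client -> (allowed, rejected)."""
    current = [0.0]
    limiter = TokenBucketLimiter(rate, burst, clock=lambda: current[0])
    outcome = defaultdict(lambda: [0, 0])
    for t, client in sorted(events):
        current[0] = t
        outcome[client][0 if limiter.allow(client) else 1] += 1
    return {c: tuple(v) for c, v in outcome.items()}


# Constructed traffic: one client floods at 8 req/s for ~12 s while an ordinary
# visitor clicks once per second. Times are multiples of 1/8 s, so the
# arithmetic is exact and the result reproducible.
FLOOD = [(i * 0.125, "203.0.113.7") for i in range(100)]
NORMAL = [(float(k), "198.51.100.5") for k in range(13)]


def demo():
    # 2 requests/s sustained, bursts of 4: the flood loses most of its
    # requests while the ordinary visitor never sees a rejection.
    return simulate(rate=2, burst=4, events=FLOOD + NORMAL)
```

In a real deployment the client key would usually be the connecting IP (or the `X-Forwarded-For` value your proxy sets) and a rejection would be answered with HTTP 429; as the paragraph notes, this protects your application from a single noisy source but not from a large distributed flood.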
4. Leverage a web application firewall (WAF)
A web application firewall (WAF) can help address DDoS and DoS attacks, layer 7 threats, and bad bots, and can even virtually patch known website vulnerabilities. The WAF is essentially a layer of protection that sits between a website and the traffic it receives. We dive deeper into the topic in this article about what a WAF is.
There are several WAF solutions that offer automated mitigation of DDoS threats, but one of the best ways to decide which WAF works best for your application is to analyze how effective the protection is, whether it’s within your budget, and whether your team can properly configure it.
5. Enable country blocking
Country-based blocking is typically effective at minimizing risks. It can also help in complying with some organizational policies whose intention is indeed to “block hackers”. Here are a couple of things to note:
- Regional origin is irrelevant to computers; a website firewall can only see IP addresses. Inferring geography from IP addresses relies on big tables that are never completely up to date.
- Working around these blocking systems is trivial for attackers. It suffices to use some form of anonymous proxy, or to proxy from a country outside the blocked list, and this happens “naturally” when using Tor, free and open-source software for enabling anonymous communication.
That’s not to say that country blocking won’t help prevent DDoS threats; but be sure to understand the implications of blocking out the entire world except your country. It may not be as black and white a solution as others may lead you to believe. Country blocking is a way to enhance an actual protection against DDoS attacks, such as a website firewall.
Nowadays, most botnets are made of thousands of hacked websites, compromised CCTVs, infected computers, and other internet of things devices. The attacks are distributed all over the world. Having said that, country blocking can prevent thousands of mindless bots from spamming the connection logs. Definitely a plus!
Learn more about how to stop a DDoS attack
We’ve put together a comprehensive guide outlining what a DDoS attack is, why they happen to websites of all sizes, and how you can prevent DDoS from harming your traffic and server resources.
If you’re interested in knowing more about a web application firewall’s ability to stop DDoS, check out the video below — it clearly demonstrates how the Sucuri Firewall can help to mitigate DDoS.
If you’re looking for a hand stopping a DDoS attack, implementing website monitoring, or just have security questions in general — reach out! Our experienced analysts are available to chat 24/7 to help you with your website.